MOSEB-12: Vulnerabilities at www.altavista.com
19:46 12.06.2007
The next participant of the project is the AltaVista search engine. It is one of the popular search engines.
The vulnerabilities are at AltaVista (www.altavista.com) in the Images, MP3/Audio, Video and News search. I found these Cross-Site Scripting holes on 25.01.2007.
XSS:
- alert(document.cookie)
- alert(document.cookie)
- alert(document.cookie)
- alert(document.cookie)
- redirector
- html injection
The vulnerabilities are in the q parameter:
http://www.altavista.com/image/results?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
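The `</title>` prefix in that query shows the search term was reflected inside the page's `<title>` element without output encoding. The following is an added example, not code from the original post or from AltaVista: it renders a hypothetical results template (`TEMPLATE`, `render_unsafe`, `render_safe` and `injected_tags` are assumed names) with and without HTML encoding, then parses the output to see which tags a browser would receive.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# URL quoted in the post; only its query string is parsed, nothing is fetched.
REPORTED_URL = ("http://www.altavista.com/image/results"
                "?q=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E")

# Hypothetical results-page template (an assumption): the search term is
# echoed in <title> and in the search box, as a typical results page does.
TEMPLATE = ('<html><head><title>Results for {q}</title></head>'
            '<body><input name="q" value="{q}"></body></html>')

def render_unsafe(q):
    """Reflect the query verbatim (the flaw class described in the post)."""
    return TEMPLATE.format(q=q)

def render_safe(q):
    """HTML-encode the query, quotes included, before reflecting it."""
    return TEMPLATE.format(q=escape(q, quote=True))

class TagCollector(HTMLParser):
    """Record every start tag the HTML parser sees."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page, expected=("html", "head", "title", "body", "input")):
    """Return tags present in the page that the template never emits."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in expected]

def query_from(url):
    """Extract and percent-decode the q parameter."""
    return parse_qs(urlsplit(url).query)["q"][0]

if __name__ == "__main__":
    q = query_from(REPORTED_URL)
    print("unsafe:", injected_tags(render_unsafe(q)))
    print("safe:  ", injected_tags(render_safe(q)))
```

The same `injected_tags` check works as a regression test for any template that reflects request parameters.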
Moral: searching for images, audio, video and news can be dangerous.
Note that the AltaVista engine belongs to Yahoo! Inc., so Yahoo is also responsible for these vulnerabilities (as for their own at MOSEB-02).
P.S.
I also prepared another hole concerning AltaVista, so wait for today’s bonus post.
Tuesday, 04:29 14.08.2007
5t
Tuesday, 16:40 14.08.2007
nikaury
Yahoo fixed these holes already (in June).